Permissions required to run VisualSVN Server

Applies to: VisualSVN Server 5.1 and later

All the system permissions that are needed for VisualSVN Server to function properly are automatically configured by its installer. To get VisualSVN Server to run, manual adjustment of system permissions is not required in the vast majority of cases.

This article lists several cases that are exceptions, where you may need to manually configure system permissions:

Note
The manual configuration described in this article is for the system permissions that VisualSVN Server itself needs in order to run in certain setups. This article is not related to configuring user access to repositories.

Manually granting permissions on the Repositories Root directory

You may need to manually adjust system permissions on the Repositories Root directory in the following situations:

  • when the Repositories Root directory is stored remotely (on a network share), on a different computer than the one that runs VisualSVN Server.
  • when the Repositories Root directory is stored locally, but for any reason you prefer to keep the Automatically adjust permissions option disabled in VisualSVN Server's Storage settings.

Required permissions for the Repositories Root directory

In the above-mentioned cases that require manually granting permissions, grant the permissions specified in the table. Also, see the sections below for details on setting these permissions.

Object Whom to grant Permission
Repositories Root directory*

Services:

  • VisualSVNServer (VisualSVN HTTP Service)
  • vdfssvc (VisualSVN Distributed File System Service)
  • vsvnjobsvc (VisualSVN Background Job Service)
  • vrepocfgsvc (VisualSVN Repository Configurator Service)
  • vsvnsearchsvc (VisualSVN Search Index Service)

Other:

  • The local VisualSVN Server Admins group (or domain user accounts of desired VisualSVN Server administrators)

NTFS permission:
'Modify'

Share permission:**
'Read' and 'Change' or 'Read/Write'

*By default, the location of the Repositories Root directory is: C:\Repositories, unless you have changed it during the installation or later in the VisualSVN Server's Storage settings.

**Share permissions are needed only when storing repositories remotely (in a shared folder).

Note
These system permissions should be set on the actual directory on a disk drive (for example, in Windows File Explorer), not on the Repositories node in VisualSVN Server Manager. Access rules set in VisualSVN Server Manager (or with Add-SvnAccessRule) are not relevant here, they are for controlling user access to the repositories.

Manual configuration if Repositories Root is on a network share

In case of storing repositories remotely (on a network share), you will need to manually grant two types of access permissions on the remote Repositories Root directory: NTFS permissions and Share permissions.

Note
The following instructions assume that both the local computer (running VisualSVN Server) and the remote computer are in the same Active Directory environment.

On the remote Repositories Root directory, grant the permissions listed in the table above as follows:

  • To grant access to VisualSVN Server services that run under the Network Service account (which is their default), grant permissions to the Computer account of the computer that runs VisualSVN Server. Services running under the Network Service account authenticate to remote network resources as the Computer that they run on.
  • If you have configured any VisualSVN Server services to run under a dedicated (i.e. non-default) logon account, grant permissions to this dedicated account. In this case, the dedicated logon account must be a domain user account, not a local user account.
  • Grant permissions to domain administrators and to any non-admin domain users whom you want to be able to manage your VisualSVN Server.

For more detailed instructions on how to grant the permissions listed for this case, see the section titled Configure required access permissions in the article KB22: Storing repositories on a network share.

Manual adjustment on Repositories Root when automatic adjustment is disabled

When the Repositories Root directory is local, but you want to keep automatic permission adjustment disabled, you can manually grant the permissions listed in the table above directly to specific VisualSVN Server services by using their Service Security Identifiers (Service SIDs).

Tip
To grant NTFS permissions directly to a specific service (Service SID), specify the account name in the form of NT SERVICE\<service_name>, for example: NT SERVICE\VisualSVNServer. Note that Service SIDs are local to the computer running the service, so if you are setting permissions in Windows File Explorer, make sure that when entering an account name you've selected the local computer in the Locations.

Manually granting permissions on the installation directory and its parents

You may need to manually adjust NTFS permissions on the installation directory of VisualSVN Server and on the parent directories of this installation directory in the following situations:

  • In some cases, when installing VisualSVN Server to a non-default location (for example, to D:\Applications\VisualSVN Server\).
  • If you configured the VisualSVN HTTP Service to run under a dedicated (non-default) logon account.

In all other cases VisualSVN HTTP Service will have the required permissions automatically, due to the fact that its default logon account (the Network Service account) has the required permissions.

Required permissions for the installation directory and its parents

In the above-mentioned cases that require manually granting permissions, grant the permissions specified in the table. Also, see the sections below for details on setting these permissions.

Object Whom to grant Permission
VisualSVN Server installation directory VisualSVNServer (VisualSVN HTTP Service) NTFS permission:
'Read & execute'
Parent directories of the VisualSVN Server installation directory* VisualSVNServer (VisualSVN HTTP Service) NTFS permission:
'Read & execute'
(non-recursive is sufficient)

*This includes all the parent directories of the installation directory, up to and including the disk volume. For example, by default, the VisualSVN Server installation directory and its parents are:

  • C:\Program Files\VisualSVN Server
  • C:\Program Files
  • C:\

Manual adjustment due to a dedicated logon account for VisualSVN HTTP Service

If you configured VisualSVN HTTP Service to run under a dedicated (non-default) logon account, grant the permissions listed in this section's table to this dedicated logon account. For complete instructions on how to set up VisualSVN HTTP Service to run under a dedicated account, see KB24: Configuring VisualSVN HTTP Service to run under a dedicated user account.

Manual configuration due to a non-default installation location

When installing VisualSVN Server to a non-default location, if VisualSVN HTTP Service fails to start during or after the installation, grant the permissions listed in this section's table either to the Network Service account (which is the default service logon account of VisualSVN HTTP Service) or directly to the Service SID of VisualSVN HTTP Service. The latter option is suitable if you have not canceled the installation.

Tip
To grant NTFS permissions directly to a specific service (Service SID), specify the account name in the form of NT SERVICE\<service_name>, for example: NT SERVICE\VisualSVNServer. Note that Service SIDs are local to the computer running the service, so if you are setting permissions in Windows File Explorer, make sure that when entering an account name you've selected the local computer in the Locations.
Last Modified: